From 268adbcf7edcc5166da4b63073f00d4c40922c44 Mon Sep 17 00:00:00 2001 From: Matthias Grundmann Date: Tue, 12 Jun 2018 17:35:57 +0200 Subject: [PATCH 1/3] Move assignments to correct package so that hints are shown --- .../{introduction => advanced}/SqlInjectionLesson6a.java | 4 ++-- .../{introduction => advanced}/SqlInjectionLesson6b.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) rename webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/{introduction => advanced}/SqlInjectionLesson6a.java (97%) rename webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/{introduction => advanced}/SqlInjectionLesson6b.java (98%) diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java similarity index 97% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java index 136723f8d..dd31c61cc 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java @@ -1,10 +1,11 @@ -package org.owasp.webgoat.plugin.introduction; +package org.owasp.webgoat.plugin.advanced; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; 
@@ -55,7 +56,6 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { AttackResult completed(@RequestParam String userid_6a) throws IOException { return injectableQuery(userid_6a); // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data -- - } protected AttackResult injectableQuery(String accountName) { diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java similarity index 98% rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java rename to webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java index 77bd7b66e..74fc5d2ad 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java @@ -1,5 +1,5 @@ -package org.owasp.webgoat.plugin.introduction; +package org.owasp.webgoat.plugin.advanced; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; From 56fc983414b130445fba3b8dfb8f2813f60e450c Mon Sep 17 00:00:00 2001 From: Matthias Grundmann Date: Tue, 12 Jun 2018 17:36:44 +0200 Subject: [PATCH 2/3] Update database layout so that proposed solution works --- .../java/org/owasp/webgoat/session/CreateDB.java | 12 ++++++------ .../lessonPlans/en/SqlInjection_content6a.adoc | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java index 1805bd161..d658b072a 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java 
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java @@ -232,7 +232,7 @@ public class CreateDB { // Create the new table try { - String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," + String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key," + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; statement.executeUpdate(createTableStatement); } catch (SQLException e) { @@ -240,11 +240,11 @@ public class CreateDB { } // Populate - String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; - String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; - String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; - String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; - String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; + String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')"; + String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')"; + String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')"; + String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')"; + String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')"; statement.executeUpdate(insertData1); statement.executeUpdate(insertData2); statement.executeUpdate(insertData3); diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc index 17e5a279d..fde2040a3 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc 
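Review bot: The `userid` column in the `CREATE TABLE user_system_data` statement changes from `varchar(5)` to `int` with no comment at the statement; the only rationale is the commit subject. I would add a comment above it along the lines of `// userid is int so the column types match what the SqlInjectionLesson6a assignment expects; keep SqlInjection_content6a.adoc in sync`, worded to whatever the actual reason is. The enclosing try block and the body of `catch (SQLException e)` continue outside the hunk. It is therefore not visible whether a table left over from the old layout is dropped first, or whether a failed create is reported instead of swallowed.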
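Review bot: The new password for `dave` in `insertData5` is a value other files now depend on, but nothing at the insert says so. Patch 3/3 of this series changes SqlInjectionLesson6aTest and SqlInjectionLesson6bTest to expect `passW0rD`. A comment such as `// dave's password is the value the 6a/6b assignment tests expect; update them together` would keep the seed row and the tests from drifting apart. The `password` column is declared `varchar(10)` in the statement above, so any later replacement has to stay within ten characters.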
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc @@ -3,7 +3,7 @@ Lets try to exploit a join to another table. One of the tables in the WebGoat database is: ------------------------------------------------------- -CREATE TABLE user_system_data (userid varchar(5) not null primary key, +CREATE TABLE user_system_data (userid int not null primary key, user_name varchar(12), password varchar(10), cookie varchar(30)); From b47bb96534021e81dd07d8a557c45a3ce0c96fcf Mon Sep 17 00:00:00 2001 From: Matthias Grundmann Date: Wed, 13 Jun 2018 16:11:28 +0200 Subject: [PATCH 3/3] Update changed password in tests --- .../webgoat/plugin/introduction/SqlInjectionLesson6aTest.java | 2 +- .../webgoat/plugin/introduction/SqlInjectionLesson6bTest.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java index 3500b8efa..344db1dbe 100644 --- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java @@ -64,7 +64,7 @@ public class SqlInjectionLesson6aTest extends LessonTest { .andExpect(status().isOk()) .andExpect(jsonPath("$.lessonCompleted", is(true))) - .andExpect(jsonPath("$.feedback", containsString("dave"))); + .andExpect(jsonPath("$.feedback", containsString("passW0rD"))); } @Test diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java index a7abd0d61..7341a6d3a 100644 
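Review bot: SqlInjectionLesson6aTest still sits under `src/test/java/org/owasp/webgoat/plugin/introduction/`, although patch 1/3 moved SqlInjectionLesson6a to `plugin.advanced`. The same holds for SqlInjectionLesson6bTest in the next file. Moving both tests next to the classes they cover would keep the test layout consistent with the main sources. The expected value in `containsString("passW0rD")` duplicates the seed row in CreateDB, so a short comment like `// must match dave's password seeded in CreateDB` at the assertion would make that coupling visible. The test method this assertion belongs to starts outside the hunk.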
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java +++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java @@ -30,7 +30,7 @@ public class SqlInjectionLesson6bTest extends LessonTest { @Test public void submitCorrectPassword() throws Exception { mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b") - .param("userid_6b", "dave")) + .param("userid_6b", "passW0rD")) .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); }